WIP: monitoring improvements

Possible to add it back with a proper database, but all-in-one keeps everything in memory.

.idea/alpina.iml

@@ -24,6 +24,7 @@
     <option name="TEMPLATE_FOLDERS">
       <list>
         <option value="$MODULE_DIR$/roles/docker_host/templates" />
+        <option value="$MODULE_DIR$/roles/alpina/templates" />
       </list>
     </option>
   </component>

.idea/jsonSchemas.xml

@@ -74,6 +74,9 @@
                   <Item>
                     <option name="path" value="file:///run/user/1000/kio-fuse-kipURF/sftp/root@debbi.lab.home/mnt/dock/traefik/rules/hello-world.yml" />
                   </Item>
+                  <Item>
+                    <option name="path" value="roles/alpina/templates/services/traefik/rules/traefik-dash.yml.j2" />
+                  </Item>
                 </list>
               </option>
             </SchemaInfo>

README.md

@@ -3,6 +3,9 @@
 A home for configuring all of my homelab containers on a Debian Linux machine.
 This assumes a Debian Linux machine with Docker and Docker Compose installed.
 
+My particular setup is based on a [jailmaker](https://github.com/Jip-Hop/jailmaker) container
+running on top of TrueNAS SCALE, separating all the docker stuff from the appliance.
+
 # Notes
 
 ## IPv6
@@ -16,3 +19,41 @@ that uses the IP of this host as the gateway.
 This is a limitation of my current ISP, I only have a single /64 subnet for my lab network.
 I'd like to get a /56 or /48, perhaps using Hurricane Electric's tunnel broker.
 *Sigh* ISPs being stingy with the 2^48 prefixes they're afraid of running out of.
+
+## Upgrading Postgres
+Upgrading the postgres container for a given stack requires a dump and restore.
+
+After making a snapshot or backup of postgres data directory,
+in the compose directory for a given stack, run the following commands:
+```bash
+docker compose down
+docker compose up -d <db_service>
+docker compose exec -it <db_service> pg_dumpall -U <db_user> | tee /tmp/dump.sql
+docker compose down
+
+rm -r <postgres_data_dir>/*  # as root
+# Edit the docker-compose.yml file to use the new postgres image
+docker compose up -d <db_service>
+# For some reason, compose exec doesn't like the input redirection
+docker exec -i <db_container_name> psql -U <db_user> < /tmp/dump.sql
+docker compose up -d
+rm /tmp/dump.sql
+```
+
+Additionally, if upgrading from postgres <= 13, it is necessary to upgrade the
+password hashes. This can be done by running the following command:
+```bash
+docker compose exec -it <db_service> psql -U <db_user> -c "\password"
+```
+
+## Nextcloud
+Nextcloud requires some additional work to set up notify_push.
+
+- Initially, comment out the notify_push service in the docker compose.
+- Set up nextcloud and install the Client Push (notify_push) app.
+- Uncomment the notify_push service in the docker compose and `up -d` the stack.
+- ```bash
+  docker compose exec app ./occ notify_push:setup https://nc.<domain>/push
+  ```
+
+I should probably get around to automating this at some point.

group_vars/alpina/vars.yml

@@ -0,0 +1,50 @@
+# Shared variables between environments
+
+---
+alpina_svc_path: ~/alpina
+base_volume_path: /mnt/dock
+media_volume_path: /mnt/media
+
+traefik_subnet: 172.16.122.0
+
+# Authentik
+authentik_db_password: "{{ vault_authentik_db_password }}"
+authentik_secret_key: "{{ vault_authentik_secret_key }}"
+
+authentik_sendgrid_api_key: "{{ vault_authentik_sendgrid_api_key }}"
+
+auth_grafana_client_secret: "{{ vault_auth_grafana_client_secret }}"
+arrstack_password: "{{ vault_arrstack_password }}"
+
+# Minio
+minio_password: "{{ vault_minio_password }}"
+
+# Monitoring
+## auth_grafana_client_secret:
+influxdb_admin_password: "{{ vault_influxdb_admin_password }}"
+influxdb_admin_token: "{{ vault_influxdb_admin_token }}"
+
+alertmanager_discord_webhook: "{{ vault_alertmanager_discord_webhook }}"
+
+# Traefik
+acme_email: "{{ vault_acme_email }}"
+cloudflare_api_token: "{{ vault_cloudflare_api_token }}"
+
+# Arrstack
+wg_peer_pubkey: "{{ vault_wg_peer_pubkey }}"
+vpn_server_names: "{{ vault_vpn_server_names }}"
+
+# Gitea
+gitea_db_password: "{{ vault_gitea_db_password }}"
+gitea_sendgrid_api_key: "{{ vault_gitea_sendgrid_api_key }}"
+## Security
+secret_key: "{{ vault_secret_key }}"
+internal_token: "{{ vault_internal_token }}"
+jwt_secret: "{{ vault_jwt_secret }}"
+
+# Jellyfin
+
+# Nextcloud
+nextcloud_db_password: "{{ vault_nextcloud_db_password }}"
+redis_password: "{{ vault_redis_password }}"
+nextcloud_sendgrid_api_key: "{{ vault_nextcloud_sendgrid_api_key }}"

group_vars/alpina/vault.yml

@@ -0,0 +1,96 @@
+$ANSIBLE_VAULT;1.1;AES256
+32653863663065353431636364373163613536643238613961666561653663633530646165643766
+3833323937353331313136633965393061616135366534660a333037383066303431623830313464
+65346431633238666534373033663138353438313762326361666233353866663534363536643034
+3636323439316261630a623262336331663431633266336235653034323234383566323963623365
+32626363626164373536663464643632393761346137623866633237643038306265636362626561
+61313634353634373530383061393364613461303132326335316566326436633635633131643433
+31376539396639326464333233643933373737313064363262323639363964643862633035396161
+35643037636535623966626131393538643432396536643365383736636262356135373434376433
+32316361343330303431376234323632323932376635343964383733633761326639393966383039
+35646131343034663962363335373661323065663764396631343461383661663738386163323633
+36303464646532633235663662666663343238633465663334326463383133643239666634653739
+35396130393961303230396236303766336666643930626161333338326137663235323066663032
+33376564373563323635356233616264313663373534333636643236393866613062656338353864
+66386132663362363832366661646462316139353132626662663934336530386534376538633235
+62653131653835323261373435373631396466353738306362616266616532313435323633613933
+61646132346536323632643865326234356535346566346532383162393265613931343962303463
+31636334343736666434353835633734396465653862613234386431306463326134613931646232
+32353535663133623434643866336165616232613662336533383432633338373763643337616637
+38323237646461376433316164646366383438316639633162303739383263656265633364303565
+36643339356136653332666230633939636264306431636562323864373037623138363739616561
+37613364653737353638646564323439646138646536636564303866636233616264383466656439
+33646232653061616437656162353036313834616162313936353533393833313432656534343363
+35636638326236646163323463356634326534623165306461316530353936646162323435633862
+64396464303363323837316162353734626663643962303534336637336632333463393734383532
+66616534666466393333386337363238383432643764373864613461363766333932333862363332
+61313364613031376334326635636432346532613462613265643462636436663963323862353733
+38396261613332396633666130653262313234633132353264363266336231373535306532383661
+65323530653531646339626537653433303332656535346639393466353133363833326236656231
+33336265373463396135653730616266346331376461346433343464326238323034653330393732
+36643432316662333633333036633761653031393433333338663633386264656535623534653463
+36363565303333356361616539376532353066336137336134656465383364636361656664356439
+65326334643631663665376530646433323439653864623964323363396561313663636538356536
+63626336303862333364363166353437353163656238303765636662636137383337623563666264
+66326633343230386638616438393436633431343264343231386563613935626430306337343533
+66656366333332326131343661356236396430303832303834653530623639353036663436373862
+61336437386338343965653563646664643438353232306231316564616462643236646239333062
+38643461346639623964626438396631396139383332666130316635656530653136333662353566
+36313261646330373963663032316662383137366436636534383366636362366435393036373264
+34646537666462363531343335336638343038333633663862666163306662643634326533316561
+61613235366233636530663462353066646530386265623534663336376364323237343936646134
+31616563653864383565306439613932396562613835613562326264326535636630646666366335
+36653631353961353933386236636534393636356334633336313333383238353838336335646630
+63633365666530623562323634303935326362643762616532303531303139333565643835396163
+36353130656365326435343130613234336637346461313639653133623933376163393935366266
+66653337353732363038663164363663623266356366663637343466393836353965343730666362
+38663636336265383331666666616535366334616431306164303738306436333364653765356662
+37316433323563323431623164386337343563663538333435616333343433396236356363333262
+61396664326234343136666331356465333233663135613839616334623033316362336162613731
+38646530326538643337323838326563303130643934623939346635343331356531373235663937
+62396530383365666439373632613633633233376139616138323033613135383330333132643839
+65363833616337656662653462323436303531653635663739633366616532333761323238353764
+39373836303735393165393435323139346661346135636138613731373165386533386333393364
+32336265386334386338653734353565343733393931373436336233333031356531313739636666
+61376234393631343236643137616631373564376132623534333939346162353662306661393438
+32326566373934653463653737383131386431363664333535626361646637613632383132623533
+32343465366562363765353366333330633631353936613930376631336538306230626632303966
+31343936386535663165663066663862656439306363326337313561396132316338363930323632
+33313061623534373338623931663934396339633564353533626639373837323832366132343538
+63373862663137306665383732303863343564343830636233613139666631626532373938386663
+35646331646462356639383964373732393866653963643832633661323430323430613330633364
+35343262366362646165383032333236623863656264353964623136643631326135623538306261
+37393839343331653665356131343063316232303963636462653238333466636334616435666463
+65636662383930353238623130363834616137643830633261646338363435343839633565303562
+37623231396163346464303464333962336261353634396236613132306464643764356265656137
+32373263613964396430646332666235303634373431643939623963633334326135626565656662
+30646166303732643562653166633232666635343665616665653566316632303861613861313333
+38393636663137333231613239353661656338333536656563616237343234623031363535666637
+61343662663965663161666436366630366432363733663537613064386130326466343366383232
+32363662343561666665323565356163383932336361656132373263363239636666613461366339
+31323264393866386239353333386161643330343262366666323533303737373163313262313766
+61303638366263346232353134333431613730386431623235323537323962666133613939353762
+63326361633630323937353163383930626336663365626532613031623532393932316138353335
+32363262393764663135393466616639373965313238323935383531633434633038663437646662
+31633265373937316533373332316132363061386133356231623230393739326464333761336338
+38626234646164616265633061346239363164376532383834356435346232653065326362343363
+39613532356166633133626563643238373661323937353635343464666339323561326136623366
+62633637656462376136633963653263346565366563646533373431613761616231653739613537
+32343332356435393635363837396463613165626337346235303363613764306132343539333836
+63386633626332396339383165303166653334663239313066666632356165643161356262346230
+32636365636364663466343939663538386439343336303537636230306263643534653339313538
+31373165363962373337636138336561336638633762373363646139366339323031313664306534
+30623130663037323839666166323162393065643535663866383062356330633137343239316436
+32303132393739653363376138633430313832383165663366626436653033663637616664346632
+63633439663734393236343265323533633639316133323336373064633138363266316135363335
+31336637666331333139306537333565333064666433653730633430336261656665613263663937
+64313230656333373838346439623061393164393239393934306336373063303934663334353532
+31313637623466313835313566616161376230343532653561343364383133653736646338303631
+36356164303630303433356332343630616465383831623036383833393330663566616333653161
+63393361643266323336393962663263323338633634633033393762656139393665353630633637
+39386462303731396261613961613238616237373332656361303139633763303837653765623464
+64333565666532653864383861333433353731343161613231383836353966353636373762306132
+35333536373939656638356333383135313231306433656536383933623634653263353434393238
+32323037666135316337633465666335376332326633346665643333656139386465353134356636
+36333434303538326135346539313734393939353163316666366438613133333464623732666438
+663934323030303937623038343662646163

group_vars/docker_hosts.yml

@@ -1,6 +0,0 @@
----
-my_svc_path: ~/alpina
-base_volume_path: /mnt/dock
-media_volume_path: /mnt/media
-
-traefik_subnet: 172.16.122.0

inventories/prod/group_vars/all.yml

@@ -1,47 +1 @@
 domain: cazzzer.com
-
-wg_privkey: !vault |
-  $ANSIBLE_VAULT;1.2;AES256;alpina
-  31663639306133623739366363353430303338656137386434303862346434633665333434613931
-  3430313162333937636234313761366337393431616630330a393962643962353234343431653439
-  35323966643531386538643636623439636633326638316233386266343964333563306330383437
-  6132333063626365330a353232366464636663633236383563343834316164636434613639363765
-  37653738663463303236333232663338623034363737643138303238663033323361373064343334
-  3762303565343765393332626565333637643462353631343833
-
-wg_psk: !vault |
-  $ANSIBLE_VAULT;1.2;AES256;alpina
-  31353436343638306237623864633533626662376362656531616665356333326238353533306438
-  3164646631633464313966353533633137643234333264650a666134613666613262323461306131
-  32383438363566653766613337363236616139616661343930656362636366346133353137366639
-  3762623635386330320a643465396563666562383261623964396431366466663766303939336434
-  61626434363763303637316165343566383064613663626339366635343537646130323731376461
-  6231346162313465323739623939306436656438336565336436
-
-wg_addresses: !vault |
-  $ANSIBLE_VAULT;1.2;AES256;alpina
-  66306130383462373166306561663431366262626537393330373061616636306433323734643632
-  6332363262346630353338626632353039636666636264340a616537363638386635383934303533
-  34376136636334616332626161386435333031363931616331363232313338346234316361383033
-  3236626331333032390a353466323863326565386531643335653565386433613431623337313666
-  32643065653763643563623232313262316534326266386135633463623966636532356463653765
-  32656333623032633263643539336537313536326263303465373066633738353832363064306465
-  353636666162393734333338653834366333
-
-fw_vpn_input_ports: !vault |
-  $ANSIBLE_VAULT;1.2;AES256;alpina
-  36353933613361353132366636386138616336323437616366613164633036343234313338303830
-  3662663462346134343338363264303030663935393865650a666161633163383437373139663362
-  35666633363762633135616630336239623065366266633335623832323762613565376166383131
-  6163646561353335360a386664386166626134366339393566613461626230323836646139316463
-  3938
-
-github_consumer_key: 32d5cae58d744c56fcc9
-github_consumer_secret: !vault |
-          $ANSIBLE_VAULT;1.2;AES256;alpina
-          36353230356266303131333732363736383633313038326161346434303061633464393738383433
-          3933343436316530306439326237353265363333656264620a373036383835313733303561333233
-          33343834313163613037643734653535306365326536383532366166313261323265616133333865
-          3362663865666466320a363338303436626532393665663564313937366362326263396431316538
-          33396237333766666635333039643338333133346636363966326437646334636138353934333834
-          3139363661653364306231303966346333643166326536383164

inventories/prod/group_vars/alpina/vars.yml

@@ -0,0 +1,14 @@
+# Environment specific variables (prod)
+
+---
+docker_ipv6_index: 255
+
+# Arrstack VPN
+wg_privkey: "{{ vault_wg_privkey }}"
+wg_psk: "{{ vault_wg_psk }}"
+wg_addresses: "{{ vault_wg_addresses }}"
+fw_vpn_input_ports: "{{ vault_fw_vpn_input_ports }}"
+
+# Authentik GitHub OAuth
+github_consumer_key: 32d5cae58d744c56fcc9
+github_consumer_secret: "{{ vault_github_consumer_secret }}"

inventories/prod/group_vars/alpina/vault.yml

@@ -0,0 +1,21 @@
+$ANSIBLE_VAULT;1.1;AES256
+61656162363565633436373135333536623561663136303736393865623830633539376362363363
+3938333137343336626634346262363964316563643261310a366538363037343965363766646535
+61636239326464373039333462653562373933396665393039633266326234663335363337666439
+6137323332303533640a383062383135633762323561313666636566306531306636633466316536
+66623731626266333731303336323733343336626366343833633365616330343565363035323039
+35313961383131616133386663376331336639633137383137346164353632653939363266613562
+36316631366661353632386230306532633862393963663465383862653964646462666334396666
+66626636353539316266343937623662613336616331626439306538363764636366656635356639
+30663535393366383261333832356237373230663037373638303161303534636230616464636265
+37623938303638646233346338616239393838396433313063343065386666323264646461373032
+63376661646139316430303533643063336634333364643231336130613638626431623732646434
+63643833353164313465633333646232653761356333323933396666323837656334343866363762
+39646263653137356632323534356631366531636530613736343438393136363835373435636230
+30313163386335353935663432323033326235653963653930396235373863373232666334326661
+34336632666365666563326366376461386130343965363832343430396537323734363533353065
+64313837623366356261383437306465633730353332636561333462356363326132313933653234
+66363634333664333433613466396639306436353035346134373430663532373934343861323262
+30666664336336393835346234316238613839326436363162626439376530306133343530303365
+65393030633237333166336637363435646435323736353461333932366638333264333239373733
+30623062643336643431

inventories/prod/group_vars/docker_hosts.yml

@@ -1 +0,0 @@
-docker_ipv6_index: 255

inventories/prod/hosts

@@ -1,2 +1,2 @@
-[docker_hosts]
+[alpina]
 debbi.lab.home

inventories/staging/group_vars/all.yml

@@ -1,47 +1 @@
 domain: lab.cazzzer.com
-
-wg_privkey: !vault |
-  $ANSIBLE_VAULT;1.2;AES256;alpina
-  31333936633664396332303835396261626463383139326538356363303832323533643636383364
-  3364613639616462313462313361363836396338623636660a376230646137346536393330393837
-  64363065396332316262386330313534636135303264636532373432356265383337306365363531
-  6533343563393062640a366364346136353361653033383731613764363762663865643031303663
-  62623562636563633038366465636430656231323431643236323461333134623633613464393439
-  3331663962646534353931336630333961616134343931343534
-
-wg_psk: !vault |
-  $ANSIBLE_VAULT;1.2;AES256;alpina
-  31393235386262363733633063393031396532336161613138353931616364616165613131336138
-  3861323766326233383836613233333332306166633138300a373164306664393061643135646662
-  30626536646562363263303238663430393361653566306134373633626534643038326566616237
-  3233363838343466640a306364663738346235323535643465663330616235373266383233646263
-  31373332613461376235343431396431633733653865636636363733303466366430316431663730
-  6537663563613233353838303738653532633136663430383961
-
-wg_addresses: !vault |
-  $ANSIBLE_VAULT;1.2;AES256;alpina
-  36613639386139353965346134663431343032626637326238303830653335633062633936373938
-  3633636637613033303362343038653262626165636537350a356136363730643738383264306662
-  34363731313730613164646138653235653363303033663637386230373161623965326265663439
-  6365643730373235320a323065336535356636646131666262636133643435633237396331653833
-  63393836393162623164633130393034643364373838313939346438623761326364316337343066
-  30643131636636643038366634663137643436323833326362373666393563316235306533373039
-  636233633762303639373239353661343162
-
-fw_vpn_input_ports: !vault |
-  $ANSIBLE_VAULT;1.2;AES256;alpina
-  39326564343633633465376363396633396332636664383539373230633033383161626434643435
-  3539336531356336663638626630613934323162313639610a626637393637363837636631666534
-  38663031306536323866336365373565633634666561663636653938643538336630393061326564
-  3863363030346530630a343138623664323336353036343430323261393036373563393762663530
-  3730
-
-github_consumer_key: dbacb8621c37320eb745
-github_consumer_secret: !vault |
-          $ANSIBLE_VAULT;1.2;AES256;alpina
-          65393439653532323865356337353164666331653438396564613663363865643233323666316537
-          6365303062326139366139623232366338663831333333610a343035313364383738396635633737
-          32616366393365643565636337633334363637356435386235373638653139326665353537363939
-          3936336336663264310a343137653436323831366237376539353231656463663164316133376333
-          37373937356438373335663234616165663739626663663635316335333534333566326632346437
-          3539656334346163663635376533376362626235343466303430

inventories/staging/group_vars/alpina/vars.yml

@@ -0,0 +1,14 @@
+# Environment specific variables (staging)
+
+---
+docker_ipv6_index: 254
+
+# Arrstack VPN
+wg_privkey: "{{ vault_wg_privkey }}"
+wg_psk: "{{ vault_wg_psk }}"
+wg_addresses: "{{ vault_wg_addresses }}"
+fw_vpn_input_ports: "{{ vault_fw_vpn_input_ports }}"
+
+# Authentik GitHub OAuth
+github_consumer_key: dbacb8621c37320eb745
+github_consumer_secret: "{{ vault_github_consumer_secret }}"

inventories/staging/group_vars/alpina/vault.yml

@@ -0,0 +1,21 @@
+$ANSIBLE_VAULT;1.1;AES256
+63633535633462326534626562373461373363643166383961303861623531663263323534366537
+3263633238646439306430356365623233313838326639350a386633363434623737313565316535
+33393734633937333637373432366132323366343836393538366339626235613937323066613666
+3737393262646333390a623331333461373563313166323232343234616538623433376166313532
+32323834346336336164343938303062336438643566343866316164643535663039326331646465
+36666162393365323633646635333666613030386265306238633434303234336439646663356363
+63323638373035326465633934326363316364616539613462653232393465633233366666373664
+66616361646564303530356331323864343966633736643434653237316236363063613634646438
+35303238646632616465643264316164363139393834626362326538613033656464323435396638
+31346631653764303332386331663361623766333332366537313634636333346538653537346631
+62363438303036386530633236376633326162336434343861346261373835653735323161323965
+62353965373164616537346134303232363033323134323130316439386339613966646330666533
+65346239383230646565346133663530613462363532663562326136376233303638323332326630
+35656432363563653663616236393932663637323139666664636237336136366438656666633865
+66353162656364356638313236643131613830393838636264663833343461373963613431656364
+32303331623033303433333631313038316336653638656638373031653234356164333363336532
+37316334353463376562643138346633613633353536653939376564333166323931353634333736
+63616133663266383339323562343265613461623865623263623139396163343065623264366230
+32633362336335396562366563363830636133376238646433386236666461333731353337386333
+61323931643766326338

inventories/staging/group_vars/docker_hosts.yml

@@ -1 +0,0 @@
-docker_ipv6_index: 254

inventories/staging/hosts

@@ -1,2 +1,2 @@
-[docker_hosts]
+[alpina]
 etappi.lab.home

roles/alpina/collections/apps/arrstack/app_config.yml

@@ -1,8 +0,0 @@
-$ANSIBLE_VAULT;1.2;AES256;alpina
-66613933613334643836373939636238303035626535666161323634323837623565383337666232
-6166363839626433636231323434633164643033633466650a393032356231306436663563613734
-37316438306536316438383236373431333931373933323361623162323363623332333130653366
-6363616430353835620a366666303230313239393430326538346436626239663431316639633139
-33663261303864326162313235663536363332633731383636663165313061343863373333396536
-31336234306337393730343861636232643561356165393664633537623662353830613338363833
-306537353361653834656134383632306239

roles/alpina/collections/apps/gitea/app_config.yml

@@ -1,27 +0,0 @@
-$ANSIBLE_VAULT;1.2;AES256;alpina
-35303032386566343430633238343936366234333434343763666231666232633539303232383534
-3035346233346162373939333531613535353232626531640a646537616163353736653161326265
-31336530316335623335353661373834613264326436303933326135396166346562343136353931
-6439383039346465300a366266393130356630316630333336616565366562613038393239623738
-65626664643630353236333932373337333363626337386163613464306638633964663264363964
-30373661393531306662323134626664656233323762393037356434353066343830333033316365
-65616636613437663737306263373066306361376630616331663031346434336663393862316464
-62343339663461353934323063653566303932656264363562333136353665336263646230323832
-35376666303531383961646234663230663634393135326664386665633538616233613866373965
-64363361313232316336376631646662376565353536316438306361306261663532386564616566
-61663534393035343233326562303863646165346538393761326335376165623964396130393831
-64333665313461666335383134613831376138393061343238643661366439636534626265323865
-35393035336632653038623438626366373733626331633866373935616531623664303063376562
-31356332346164663364636235333461383437623161343338643839323765336237633266633864
-64363234646533616439313638363865373364623637636537623666383664656630333533303233
-64383734366666633832393230663739333435666138636462336332373061346239306136336263
-39643666303863303035313738343664636536663939616335303834333834363739303938646665
-66303637633239373461393434313036316563313132356432633337666537616363373830313034
-61313538633663653230643262613333306361666131663036643162343966313365653566393235
-36623832663034373734653664613038363137366437326565373761663963636336393536386435
-30393831326134376639366661653439616138643438646363343632346131306532663439396534
-32383661306539306635336262383563376561303862396532633362666266313562623336383235
-36366565633734633639653239306331333237353233326563653930653739316230666362323931
-39663931376562653530323434656436353166393836643238643632396430353034333034333665
-62323338373839383132323537353431636537616366393965643463316164323034316536383961
-6164333537633631646663333463306236613038326339643439

roles/alpina/collections/apps/gitea/templates/.env.db.j2

@@ -1,3 +0,0 @@
-POSTGRES_USER=gitea
-POSTGRES_DB=gitea
-POSTGRES_PASSWORD={{ db_password }}

roles/alpina/collections/apps/jellyfin/app_config.yml

@@ -1,6 +0,0 @@
-$ANSIBLE_VAULT;1.2;AES256;alpina
-61626665353536663033663661393434616339396434383530306265363837313839303939623465
-3634333839333530383464613966326238363738663637360a343837623832343232316565346131
-66663831356162653363383131396665326531363430656539333866313031306537343864343262
-3730643765633232620a643734623336646565663266656262343162613239306166386665333139
-6366

roles/alpina/collections/apps/nextcloud/app_config.yml

@@ -1,14 +0,0 @@
-$ANSIBLE_VAULT;1.2;AES256;alpina
-65313636646233613364363933616361346639653939346337303832646339316632383966666237
-3766396134383434613534373937663162393134306536300a626139373732393037346630333838
-63663439353238643532316231623866396434303034313130386635623363353263626362376334
-3933346434633662320a386432373465646432343338666561366161646335636232353133393933
-65313364666564353039626238383033343765323730316633356139326666623135326131353864
-32386237643538636538356261393164633137636235346564393930346539623731386633336339
-31303466653936343166366164383134306232613236663735623834393963306331376435616365
-31313866383730393063353335626164303632636331303830636530656131636139376633623439
-63663639323964623231343066373538633336353561646230363363643762393634643435306164
-31366364326237636365336363343264343562353337303235633034383635373934376334353336
-61373065386639643064303431623162373665363937353832313561386134613834613935653964
-64656339316165313936333736643030356366663162316462636662326134396539356262666536
-64336133393937396330353234316563356337623733326264363333373536633833

roles/alpina/collections/apps/nextcloud/templates/.env.j2

@@ -1 +0,0 @@
-NEXTCLOUD_VERSION=28-fpm-alpine

roles/alpina/collections/apps/nextcloud/templates/nginx.conf.j2

@@ -1,182 +0,0 @@
-# https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/with-nginx-proxy/postgres/fpm/web/nginx.conf
-
-worker_processes auto;
-
-error_log  /var/log/nginx/error.log warn;
-pid        /var/run/nginx.pid;
-
-
-events {
-    worker_connections  1024;
-}
-
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    # Prevent nginx HTTP Server Detection
-    server_tokens   off;
-
-    keepalive_timeout  65;
-
-    upstream php-handler {
-        server app:9000;
-    }
-
-    server {
-        listen 80;
-
-        # HSTS settings
-        # WARNING: Only add the preload option once you read about
-        # the consequences in https://hstspreload.org/. This option
-        # will add the domain to a hardcoded list that is shipped
-        # in all major browsers and getting removed from this list
-        # could take several months.
-        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-
-        # set max upload size
-        client_max_body_size 512M;
-        fastcgi_buffers 64 4K;
-
-        # Enable gzip but do not remove ETag headers
-        gzip on;
-        gzip_vary on;
-        gzip_comp_level 4;
-        gzip_min_length 256;
-        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
-        # Pagespeed is not supported by Nextcloud, so if your server is built
-        # with the `ngx_pagespeed` module, uncomment this line to disable it.
-        #pagespeed off;
-
-        # HTTP response headers borrowed from Nextcloud `.htaccess`
-        add_header Referrer-Policy                      "no-referrer"   always;
-        add_header X-Content-Type-Options               "nosniff"       always;
-        add_header X-Download-Options                   "noopen"        always;
-        add_header X-Frame-Options                      "SAMEORIGIN"    always;
-        add_header X-Permitted-Cross-Domain-Policies    "none"          always;
-        add_header X-Robots-Tag                         "none"          always;
-        add_header X-XSS-Protection                     "1; mode=block" always;
-
-        # Remove X-Powered-By, which is an information leak
-        fastcgi_hide_header X-Powered-By;
-
-        # Path to the root of your installation
-        root /var/www/html;
-
-        # Specify how to handle directories -- specifying `/index.php$request_uri`
-        # here as the fallback means that Nginx always exhibits the desired behaviour
-        # when a client requests a path that corresponds to a directory that exists
-        # on the server. In particular, if that directory contains an index.php file,
-        # that file is correctly served; if it doesn't, then the request is passed to
-        # the front-end controller. This consistent behaviour means that we don't need
-        # to specify custom rules for certain paths (e.g. images and other assets,
-        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
-        # `try_files $uri $uri/ /index.php$request_uri`
-        # always provides the desired behaviour.
-        index index.php index.html /index.php$request_uri;
-
-        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
-        location = / {
-            if ( $http_user_agent ~ ^DavClnt ) {
-                return 302 /remote.php/webdav/$is_args$args;
-            }
-        }
-
-        location = /robots.txt {
-            allow all;
-            log_not_found off;
-            access_log off;
-        }
-
-        # Make a regex exception for `/.well-known` so that clients can still
-        # access it despite the existence of the regex rule
-        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
-        # for `/.well-known`.
-        location ^~ /.well-known {
-            # The rules in this block are an adaptation of the rules
-            # in `.htaccess` that concern `/.well-known`.
-
-            location = /.well-known/carddav { return 301 /remote.php/dav/; }
-            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
-
-            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
-            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
-
-            # Let Nextcloud's API for `/.well-known` URIs handle all other
-            # requests by passing them to the front-end controller.
-            return 301 /index.php$request_uri;
-        }
-
-        # Rules borrowed from `.htaccess` to hide certain paths from clients
-        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
-        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
-
-        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
-        # which handle static assets (as seen below). If this block is not declared first,
-        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
-        # to the URI, resulting in a HTTP 500 error response.
-        location ~ \.php(?:$|/) {
-            # Required for legacy support
-            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
-
-            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-            set $path_info $fastcgi_path_info;
-
-            try_files $fastcgi_script_name =404;
-
-            include fastcgi_params;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $path_info;
-            #fastcgi_param HTTPS on;
-
-            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
-            fastcgi_param front_controller_active true;     # Enable pretty urls
-            fastcgi_pass php-handler;
-
-            fastcgi_intercept_errors on;
-            fastcgi_request_buffering off;
-        }
-
-        location ~ \.(?:css|js|svg|gif)$ {
-            try_files $uri /index.php$request_uri;
-            expires 6M;         # Cache-Control policy borrowed from `.htaccess`
-            access_log off;     # Optional: Don't log access to assets
-        }
-
-        location ~ \.woff2?$ {
-            try_files $uri /index.php$request_uri;
-            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
-            access_log off;     # Optional: Don't log access to assets
-        }
-
-        # Rule borrowed from `.htaccess`
-        location /remote {
-            return 301 /remote.php$request_uri;
-        }
-
-        location / {
-            try_files $uri $uri/ /index.php$request_uri;
-        }
-
-        location ^~ /push/ {
-            proxy_pass http://notify_push:7867/;
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "Upgrade";
-            proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        }
-    }
-}

roles/alpina/collections/services/authentik/app_config.yml

@@ -1,27 +0,0 @@
-$ANSIBLE_VAULT;1.2;AES256;alpina
-34666662336362656236356334333333396363393966626563643264306538333865623964373561
-3038373931313365383531333762616439396136633230610a626435336166633261323266656366
-36323335633865663538326331393635313766333639643861383738633835316533666463666363
-6139323764386533390a363361636361636163373162626135393662666436323265646233653039
-61353439356331393564363232303734626431333239633930373431616261306537393762383261
-64336234653536316236383065636364326433393334316531316438323430306437666431323063
-61383036336536343831633134636437633830346463336132653737376231666630383766656230
-37376137336264363765653535303166626138646366353466616333613964323762306166376537
-39633534336366333333316664326262353964386134333138316466303030636633383137613862
-32646332323039386365653736666435373436633531323034633064633033646466306331383835
-34386636386334396262666531356534663136393639623863326338643531346537353833663166
-35613438306432623731633566393661376533653731373130306262393137663533333230653165
-30653531636534656636393832383139626330383234376636313162373462313762666439323031
-39393063303566353733666237666165633562333962386331626164343434643964343735313265
-62313739376138656163623836663864616539336362626166336362633032326264313766346561
-62396132386333663030333639623130376130353837326630383162323931396638366331393632
-37383864666561323566383936353935396232363532356462366135313066633037306534393638
-33333439613065333432303466303635363933313036306364393434333737353361393830663032
-37636335393361343166343361396235316465373665663533663135373863663837313135343262
-66326539653033313431396163303135373462373564623863346630353964303061303434303137
-61613330363366346131396630656565333539353231623939383132303138353566653732306463
-64303961653865333738613834353333313063393064343535353562383862666561393465386135
-36373633303262343034393431613938363338346163396233663939613565306430663061623130
-66323464373438366265373937303636313530376138356433643632353461376365333535303531
-37616662323033633834343366626166363536383830356638633465333233663631396133653036
-3233323563333632303365333661386435353830313435666132

roles/alpina/collections/services/minio/app_config.yml

@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.2;AES256;alpina
-34333936316336663466376163333433336136386632356366363139343239393333623138623265
-3234373031623162623161383832613737393938653533630a353937373463626532306562316461
-62646637353039396536623735613931373230643135373964313232376561303530386566343266
-3261366363393335620a373162303030626461666164313432383263616237383230313937653435
-65346564653230643837613436633565363865616636303031636530623063646630623730383163
-66333864393362326462356531343039613061613466356237336365633339356464626162646538
-66633235613638653036326439333833306237626539653564653536376434666238383638376333
-32383637333766636337

roles/alpina/collections/services/monitoring/app_config.yml

@@ -1,19 +0,0 @@
-$ANSIBLE_VAULT;1.2;AES256;alpina
-61306635623363343430383032666564666533343661386663346334626137646137653533636461
-6466643635383162343463303536323563646439323333390a366134333630373464666334333037
-33303361383334353833633364313430636435326361343461616664623261616566306165663966
-6262323130623766380a336135333361656665356433346366386664623361343832363537633237
-34303437303035653136323964643761383261646131346466643663323665323166643364646262
-37363564346639393765376630313361663835343736336361313365313234303935393066646561
-61356432666130653230396435663064623462333537363962386534626566386630303638393332
-66353165643032373766633564653237333663663465363431343132353738663636373037656136
-39366430353632633461373939326330306530353762643764396233323835333030613165613334
-35623361656638356462363264336565383133346533343666663532306139653965383831393733
-30656462303234616566646336376234396430353466363062383935353162333363626565653665
-64343234333132663138633935656565303235626235633562363566393861363436323331643935
-33343030366563383735363233613830303930303762626365376338316436396238313565373562
-36343737373164653836613436646638336638393636303534303262643336356533313630306632
-64303138333834616662666332303266373932396263666239653133313936336531666536616338
-37613764376232333438383465346463313531613030323463666532383666376238303161356136
-39303236343837643039376266636334353530623764633161373434313962366430326166366333
-3733656135343438393961663334653330646562643865303339

roles/alpina/collections/services/traefik/app_config.yml

@@ -1,10 +0,0 @@
-$ANSIBLE_VAULT;1.2;AES256;alpina
-36343837633635363835346435333839633930656434343636623861663930333231303563313339
-6139343262316564306533396465393664356637666530310a616535376436323031386435643538
-31643935373036373839363863653434643263613731346666626163376266383635343866613536
-3835313930383238630a363138656533616337643839383330356432303236346335613464393565
-62363864323031343361643862356136316339643332393830373133656638333234656263613631
-63633837633965633033316338336338643937363131393338396661636331363538346131303564
-63313134636635663636363933373733633439663335356633313963326538663733373064303936
-37663461333664333631633838316661383733356366613531626134303236643739366361306262
-64363137666265366262373562386138313934313436363631636337373038613737

roles/alpina/tasks/deploy_collection.yml

@@ -1,18 +1,15 @@
 - name: Ensure {{ collection }} collection directory exists
   file:
-    path: "{{ my_svc_path }}/{{ collection }}"
+    path: "{{ alpina_svc_path }}/{{ collection }}"
     state: directory
     mode: "700"
 
 - name: Deploy docker compose stacks for {{ collection }}
   vars:
     current_stack_name: "{{ stack }}"
-    current_stack_dest: "{{ my_svc_path }}/{{ collection }}/{{ stack }}"
+    current_stack_dest: "{{ alpina_svc_path }}/{{ collection }}/{{ stack }}"
-    current_stack_source: "{{ role_path }}/collections/{{ collection }}/{{ stack }}"
+    current_stack_source: "{{ role_path }}/templates/{{ collection }}/{{ stack }}"
   include_tasks: deploy_compose_stack.yml
   loop: "{{ stacks }}"
   loop_control:
     loop_var: stack
-
-- debug:
-    var: acme_email

roles/alpina/tasks/deploy_compose_stack.yml

@@ -10,32 +10,25 @@
   file:
     path: "{{ current_stack_dest }}/{{ item.path }}"
     state: directory
-    mode: "700"
+    mode: "755"
-  loop: "{{ lookup('community.general.filetree', current_stack_source + '/templates') }}"
+  loop: "{{ lookup('community.general.filetree', current_stack_source) }}"
   when: item.state == "directory"
 
-# TODO: This is not ideal as it leaks the variables between stacks
-# But that's also not really a problem, as they won't conflict if everything is done right
-- name: Include variables for stack {{ stack }}
-  include_vars:
-    file: "{{ current_stack_source }}/app_config.yml"
-
 - name: Generate {{ current_stack_name }} deployment from templates
   template:
     src: "{{ item.src }}"
     dest: "{{ current_stack_dest }}/{{ item.path | regex_replace('\\.j2$', '') }}"
-    mode: "600"
+    mode: "644"
-  loop: "{{ lookup('community.general.filetree', current_stack_source + '/templates') }}"
+  loop: "{{ lookup('community.general.filetree', current_stack_source) }}"
   when: item.state == "file"
 
 - name: Deploy docker-compose for {{ current_stack_name }}
-  command: docker compose -f "{{ current_stack_dest }}/docker-compose.yml" up -d --pull always --remove-orphans
+  community.docker.docker_compose_v2:
+    project_src: "{{ current_stack_dest }}"
+    state: present
+    pull: always
+    remove_orphans: yes
   register: docker_compose_output
-  # Not perfect idempotency, but the built-in docker_compose module doesn't support docker-compose v2
-  # And of course there's an IPv6 bug in docker-compose v1, smh
-  # https://github.com/docker/compose/issues/7670
-  changed_when: "'created' in docker_compose_output.stderr.lower()"
-  failed_when: docker_compose_output.rc != 0
 
-- debug:
+# - debug:
-    var: docker_compose_output
+#     var: docker_compose_output

roles/alpina/tasks/main.yml

@@ -10,7 +10,7 @@
 - name: Ensure alpina directory exists
   file:
     state: directory
-    path: "{{ my_svc_path }}"
+    path: "{{ alpina_svc_path }}"
     mode: "700"
 
 - name: Deploy collection services

roles/alpina/templates/apps/arrstack/.env.gluetun.j2

@@ -21,8 +21,7 @@
 ## AirVPN
 VPN_SERVICE_PROVIDER=airvpn
 VPN_TYPE=wireguard
-SERVER_NAMES=Bunda,Imai,Saclateni
+SERVER_NAMES={{ vpn_server_names }}
-#SERVER_NAMES=Bunda
 WIREGUARD_PUBLIC_KEY={{ wg_peer_pubkey }}
 WIREGUARD_PRIVATE_KEY={{ wg_privkey }}
 WIREGUARD_PRESHARED_KEY={{ wg_psk }}

roles/alpina/templates/apps/gitea/.env.db.j2

@@ -0,0 +1,3 @@
+POSTGRES_USER=gitea
+POSTGRES_DB=gitea
+POSTGRES_PASSWORD={{ gitea_db_password }}

roles/alpina/templates/apps/gitea/.env.gitea.j2

@@ -3,9 +3,9 @@ GITEA____APP_NAME=CazGitea
 # Database
 GITEA__database__DB_TYPE=postgres
 GITEA__database__HOST=db:5432
-GITEA__database__NAME={{ db_user }}
+GITEA__database__NAME=gitea
-GITEA__database__USER={{ db_name }}
+GITEA__database__USER=gitea
-GITEA__database__PASSWD={{ db_password }}
+GITEA__database__PASSWD={{ gitea_db_password }}
 
 # Server
 GITEA__server__ROOT_URL=https://gitea.{{ domain }}/
@@ -17,7 +17,7 @@ GITEA__mailer__SMTP_ADDR=smtp.sendgrid.net
 GITEA__mailer__SMTP_PORT=587
 GITEA__mailer__FROM=gitea@cazzzer.com
 GITEA__mailer__USER=apikey
-GITEA__mailer__PASSWD={{ sendgrid_api_key }}
+GITEA__mailer__PASSWD={{ gitea_sendgrid_api_key }}
 
 # Security
 GITEA__security__SECRET_KEY={{ secret_key }}

roles/alpina/templates/apps/gitea/docker-compose.yml.j2

@@ -7,7 +7,7 @@ networks:
 
 services:
   server:
-    image: gitea/gitea:1.21
+    image: gitea/gitea:1.22
     container_name: gitea_server
     labels:
       - {{ helpers.traefik_labels('gitea', port='3000') | indent(6) }}
@@ -22,7 +22,7 @@ services:
     depends_on:
       - db
   db:
-    image: postgres:14-alpine
+    image: postgres:16-alpine
     container_name: gitea_db
     restart: unless-stopped
     env_file:

roles/alpina/templates/apps/nextcloud/.env.db.j2

@@ -1,3 +1,3 @@
 POSTGRES_USER=nextcloud
 POSTGRES_DB=nextcloud
-POSTGRES_PASSWORD={{ db_password }}
+POSTGRES_PASSWORD={{ nextcloud_db_password }}

roles/alpina/templates/apps/nextcloud/.env.j2

@@ -0,0 +1 @@
+NEXTCLOUD_VERSION=29-apache

roles/alpina/templates/apps/nextcloud/.env.nextcloud.j2

@@ -1,6 +1,6 @@
 POSTGRES_DB=nextcloud
 POSTGRES_USER=nextcloud
-POSTGRES_PASSWORD={{ db_password }}
+POSTGRES_PASSWORD={{ nextcloud_db_password }}
 POSTGRES_HOST=db
 
 NEXTCLOUD_TRUSTED_DOMAINS=nc.{{ domain }}
@@ -13,11 +13,12 @@ SMTP_SECURE=tls
 SMTP_PORT=587
 SMTP_AUTHTYPE=LOGIN
 SMTP_NAME=apikey
-SMTP_PASSWORD={{ sendgrid_api_key }}
+SMTP_PASSWORD={{ nextcloud_sendgrid_api_key }}
 MAIL_FROM_ADDRESS=nc
 MAIL_DOMAIN=cazzzer.com
 
-TRUSTED_PROXIES={{ traefik_subnet }}
+# host IPv4 and IPv6 addresses, loopback for notify_push
+TRUSTED_PROXIES={{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} {{ hostvars[inventory_hostname]['ansible_default_ipv6']['address'] }} 127.0.0.1 ::1
 OVERWRITEHOST=nc.{{ domain }}
 OVERWRITEPROTOCOL=https
 OVERWRITECLIURL=https://nc.{{ domain }}

roles/alpina/templates/apps/nextcloud/.env.notify_push

@@ -0,0 +1,4 @@
+DATABASE_URL=postgres://nextcloud:{{ nextcloud_db_password }}@db/nextcloud
+DATABASE_PREFIX=oc_
+REDIS_URL=redis://:{{ redis_password }}@redis
+NEXTCLOUD_URL=http://localhost

roles/alpina/templates/apps/nextcloud/docker-compose.yml.j2

@@ -10,6 +10,8 @@ services:
   app:
     image: nextcloud:${NEXTCLOUD_VERSION}
     container_name: nextcloud_app
+    labels:
+      - {{ helpers.traefik_labels('nc', port='80') | indent(6) }}
     restart: unless-stopped
     depends_on:
       - db
@@ -40,21 +42,28 @@ services:
   notify_push:
     image: nextcloud:${NEXTCLOUD_VERSION}
     container_name: nextcloud_notify_push
+    {# TODO: Refactor this and minio -#}
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.nc-notify.rule=Host(`nc.{{ domain }}`) && PathPrefix(`/push`)
+      - traefik.http.routers.nc-notify.entrypoints=websecure
+      - traefik.http.routers.nc-notify.tls=true
+      - traefik.http.routers.nc-notify.tls.certresolver=letsencrypt
+      - traefik.http.routers.nc-notify.tls.domains.0.main={{ domain }}
+      - traefik.http.routers.nc-notify.tls.domains.0.sans=*.{{ domain }}
+      - traefik.http.services.nc-notify.loadbalancer.server.port=7867
     restart: unless-stopped
-    depends_on:
+    user: www-data
-      - app
+    env_file:
+      - .env.notify_push
+    network_mode: service:app
     entrypoint:
       - /var/www/html/custom_apps/notify_push/bin/x86_64/notify_push
-      - /var/www/html/config/config.php
-    networks:
-      - default
     volumes:
       - {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html
-      - {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config
-      - {{ base_volume_path }}/nextcloud/nextcloud_data:/var/www/html/data
 
   db:
-    image: postgres:13-alpine
+    image: postgres:16-alpine
     container_name: nextcloud_db
     restart: unless-stopped
     env_file:
@@ -65,7 +74,7 @@ services:
       - {{ base_volume_path }}/nextcloud/db:/var/lib/postgresql/data
 
   redis:
-    image: redis:7-alpine
+    image: redis:alpine
     container_name: nextcloud_redis
     restart: unless-stopped
     env_file:
@@ -76,20 +85,3 @@ services:
       - sh
       - -c
       - redis-server --requirepass $$REDIS_PASSWORD
-
-  web:
-    image: nginx:1.23-alpine
-    container_name: nextcloud_web
-    labels:
-      - {{ helpers.traefik_labels('nc') | indent(6) }}
-    restart: unless-stopped
-    links:
-      - app
-    networks:
-      - traefik_traefik
-      - default
-    volumes:
-      - ./nginx.conf:/etc/nginx/nginx.conf:ro
-      - {{ base_volume_path }}/nextcloud/nextcloud:/var/www/html
-      - {{ base_volume_path }}/nextcloud/nextcloud_config:/var/www/html/config
-      - {{ base_volume_path }}/nextcloud/nextcloud_data:/var/www/html/data

roles/alpina/templates/services/authentik/.env.authentik.j2

@@ -4,14 +4,14 @@ AUTHENTIK_REDIS__HOST=redis
 AUTHENTIK_POSTGRESQL__HOST=postgres
 AUTHENTIK_POSTGRESQL__USER=authentik
 AUTHENTIK_POSTGRESQL__NAME=authentik
-AUTHENTIK_POSTGRESQL__PASSWORD={{ db_password }}
+AUTHENTIK_POSTGRESQL__PASSWORD={{ authentik_db_password }}
 
 AUTHENTIK_SECRET_KEY={{ authentik_secret_key }}
 
 AUTHENTIK_EMAIL__HOST=smtp.sendgrid.net
 AUTHENTIK_EMAIL__PORT=587
 AUTHENTIK_EMAIL__USERNAME=apikey
-AUTHENTIK_EMAIL__PASSWORD={{ sengrid_api_key }}
+AUTHENTIK_EMAIL__PASSWORD={{ authentik_sendgrid_api_key }}
 
 AUTHENTIK_EMAIL__USE_TLS=true
 AUTHENTIK_EMAIL__TIMEOUT=10

roles/alpina/templates/services/authentik/.env.db.j2

@@ -1,3 +1,3 @@
 POSTGRES_USER=authentik
 POSTGRES_DB=authentik
-POSTGRES_PASSWORD={{ db_password }}
+POSTGRES_PASSWORD={{ authentik_db_password }}

roles/alpina/templates/services/authentik/docker-compose.yml.j2

@@ -37,7 +37,7 @@ services:
       - {{ base_volume_path }}/authentik/certs:/certs
 
   postgres:
-    image: postgres:12-alpine
+    image: postgres:16-alpine
     container_name: authentik_postgres
     restart: unless-stopped
     env_file:

roles/alpina/templates/services/minio/docker-compose.yml.j2

@@ -13,7 +13,7 @@ services:
       - {{ helpers.traefik_labels('minio', port='9090') | indent(6) }}
       - traefik.http.routers.minio.service=minio
       - traefik.http.routers.minio-tls.service=minio
-      - traefik.http.routers.minio-s3.rule=HostRegexp(`s3.{{ domain }}`, `{subdomain:.+}.s3.{{ domain }}`)
+      - traefik.http.routers.minio-s3.rule=Host(`s3.{{ domain }}`) || HostRegexp(`^.+[.]s3[.]{{ domain }}`)
       - traefik.http.routers.minio-s3.entrypoints=websecure
       - traefik.http.routers.minio-s3.tls=true
       - traefik.http.routers.minio-s3.tls.certresolver=letsencrypt

roles/alpina/templates/services/monitoring/.env.alertmanager.j2

@@ -0,0 +1 @@
+DISCORD_WEBHOOK={{ alertmanager_discord_webhook }}

roles/alpina/templates/services/monitoring/alertmanager_config/alertmanager.yml.j2

@@ -0,0 +1,68 @@
+# The root route on which each incoming alert enters.
+route:
+  group_by: ["alertname", "job"]
+  group_wait: 20s
+  group_interval: 5m
+  repeat_interval: 3h
+  receiver: discord_webhook
+
+receivers:
+  - name: "discord_webhook"
+    discord_configs:
+      - webhook_url: "{{ alertmanager_discord_webhook }}"
+{#        - send_resolved: true#}
+{#            username: 'Alertmanager'#}
+{#            webhook_configs:#}
+{#            - send_resolved: true#}
+{#                url: '{{ alertmanager_discord_webhook }}'#}
+{#                username: 'Alertmanager'#}
+{#                icon_url: 'https://prometheus.io/assets/icon.png'#}
+{#                icon_emoji: ':alert:'#}
+{#                send_resolved: true#}
+{#                text: "{{ .CommonAnnotations.summary }}"#}
+{#                title: "{{ .CommonLabels.alertname }}"#}
+{#                color: '{{ if eq .Status "firing" }}#FF0000{{ else }}#00FF00{{ end }}'#}
+{#                footer: '{{ .CommonLabels.monitor }}'#}
+{#                footer_icon: 'https://prometheus.io/assets/icon.png'#}
+{#                actions:#}
+{#                - type: 'button'#}
+{#                    text: 'Open in Grafana'#}
+{#                    url: '{{ .ExternalURL }}'#}
+{#                    style: 'primary'#}
+{#                    send_resolved: true#}
+{#                    confirm:#}
+{#                    title: 'Are you sure?'#}
+{#                    text: 'This will open Grafana in a new tab.'#}
+{#                    ok_text: 'Yes'#}
+{#                    dismiss_text: 'No'#}
+{#                fields:#}
+{#                - title: 'Description'#}
+{#                    value: "{{ .CommonAnnotations.description }}"#}
+{#                    short: false#}
+{#                - title: 'Details'#}
+{#                    value: "{{ .CommonAnnotations.details }}"#}
+{#                    short: false#}
+{#                - title: 'Severity'#}
+{#                    value: '{{ if eq .Labels.severity "critical" }}Critical{{ else if eq .Labels.severity "warning" }}Warning{{ else }}Info{{ end }}'#}
+{#                    short: true#}
+{#                - title: 'Host'#}
+{#                    value: '{{ .CommonLabels.monitor }}'#}
+{#                    short: true#}
+{#                - title: 'Starts At'#}
+{#                    value: '{{ .StartsAt.Format "2006-01-02 15:04:05" }}'#}
+{#                    short: true#}
+{#                - title: 'Ends At'#}
+{#                    value: '{{ .EndsAt.Format "2006-01-02 15:04:05" }}'#}
+{#                    short: true#}
+{#                - title: 'Runbook'#}
+{#                    value: '{{ .CommonAnnotations.runbook_url }}'#}
+{#                    short: true#}
+{#                - title: 'Dashboard'#}
+{#                    value: '{{ .CommonAnnotations.dashboard_url }}'#}
+{#                    short: true#}
+{#                - title: 'Alerting Rule'#}
+{#                    value: '{{ .CommonLabels.alertname }}'#}
+{#                    short: true#}
+{#                - title: 'Alerting Rule Description'#}
+{#                    value: '{{ .CommonLabels.alertname }}'#}
+{#                    short: true#}

roles/alpina/templates/services/monitoring/docker-compose.yml.j2

@@ -66,6 +66,24 @@ services:
       - {{ base_volume_path }}/monitoring/prometheus_configs:/etc/prometheus/extra:ro
       - {{ base_volume_path }}/monitoring/prometheus:/prometheus
 
+  alertmanager:
+    image: prom/alertmanager:latest
+    container_name: alertmanager
+    restart: unless-stopped
+    # Needed to make config files readable
+    # user: "{{ remote_uid }}"
+    command:
+      - --config.file=/etc/alertmanager/alertmanager.yml
+    volumes:
+      - ./alertmanager_config:/etc/alertmanager:ro
+
+#  alerts-discord:
+#    image: rogerrum/alertmanager-discord:1.0.6
+#    container_name: alerts-discord
+#    restart: unless-stopped
+#    env_file:
+#      - .env.alertmanager
+
   node-exporter:
     image: prom/node-exporter:latest
     container_name: node-exporter
@@ -99,16 +117,6 @@ services:
     volumes:
       - {{ base_volume_path }}/monitoring/influxdb:/var/lib/influxdb2
 
-  jaeger:
-    image: jaegertracing/all-in-one:1
-    container_name: jaeger
-    restart: unless-stopped
-    ports:
-      - 5778:5778
-      - 6831:6831/udp
-    volumes:
-      - {{ base_volume_path }}/monitoring/jaeger:/jaeger
-
   uptime-kuma:
     image: louislam/uptime-kuma:1
     container_name: uptime-kuma

roles/alpina/templates/services/monitoring/grafana_config/provisioning/datasources/alpina.yaml.j2

@@ -15,6 +15,19 @@ datasources:
     url: http://prometheus:9090
     editable: false
 
+  - name: Alertmanager
+    type: alertmanager
+    access: proxy
+    uid: alertmanager
+    url: http://alertmanager:9093
+    jsonData:
+      # Valid options for implementation include mimir, cortex and prometheus
+      implementation: prometheus
+      # Whether Grafana should send alert instances to this Alertmanager
+      ha
+      ndleGrafanaManagedAlerts: false
+    editable: false
+
   - name: InfluxDB
     type: influxdb
     access: proxy
@@ -27,20 +40,3 @@ datasources:
     secureJsonData:
       token: {{ influxdb_admin_token }}
     editable: false
-
-  - name: Jaeger
-    type: jaeger
-    access: proxy
-    uid: jaeger
-    url: http://jaeger:16686
-    editable: false
-    jsonData:
-      tracesToLogsV2:
-        datasourceUid: loki
-        spanStartTimeShift: 1h
-        spanEndTimeShift: -1h
-        tags: []
-        filterByTraceID: false
-        filterBySpanID: false
-        customQuery: true
-        query: '{container_name=~".*$${__span.tags["traefik.service.name"]}.*"}'

roles/alpina/templates/services/monitoring/prometheus_config/demo-alerts.yml.j2

@@ -0,0 +1,20 @@
+groups:
+  - name: demo-service-alerts
+    rules:
+      - alert: DemoServiceHighErrorRate
+        expr: |
+          (
+            sum without(status, instance) (
+              rate(demo_api_request_duration_seconds_count{status=~"5..",job="demo"}[1m])
+            )
+          /
+            sum without(status, instance) (
+              rate(demo_api_request_duration_seconds_count{job="demo"}[1m])
+            ) * 100 > 0.5
+          )
+        for: 1m
+        labels:
+          severity: critical
+        annotations:
+          title: 'High 5xx rate for {{'{{ $labels.method }}'}} on {{'{{ $labels.path }}'}}'
+          description: 'The 5xx error rate for path {{'{{ $labels.path }}'}} with method {{'{{ $labels.method }}'}} in {{'{{ $labels.job }}'}} is {{'{{ printf "%.2f" $value }}'}}%.'

roles/alpina/templates/services/monitoring/prometheus_config/prometheus.yml.j2

@@ -5,6 +5,11 @@ global:
   external_labels:
     monitor: "{{ ansible_host }}"
 
+alerting:
+  alertmanagers:
+    - static_configs:
+        - targets: ["alertmanager:9093"]
+
 scrape_configs:
   - job_name: "prometheus"
     static_configs:
@@ -30,7 +35,15 @@ scrape_configs:
     static_configs:
       - targets: ["promtail:9080"]
 
+  - job_name: 'demo'
+    static_configs:
+      - targets:
+          - 'demo.promlabs.com:10000'
+          - 'demo.promlabs.com:10001'
+          - 'demo.promlabs.com:10002'
+
 rule_files:
+  - "/etc/prometheus/demo-alerts.yml"
   - "/etc/prometheus/extra/rules/*.yml"
   - "/etc/prometheus/extra/rules/*.json"
 

roles/alpina/templates/services/traefik/docker-compose.yml.j2

@@ -12,7 +12,7 @@ networks:
 
 services:
   traefik:
-    image: traefik:v2.10
+    image: traefik:v3.0
     container_name: traefik
     restart: unless-stopped
     env_file:

roles/alpina/templates/services/traefik/traefik.yml.j2

@@ -8,9 +8,6 @@ accessLog:
   filePath: /logs/access.log
   bufferingSize: 100
 
-experimental:
-  http3: true
-
 entryPoints:
   web:
     address: ":80"
@@ -25,10 +22,6 @@ metrics:
   prometheus:
     entryPoint: metrics
 
-tracing:
-  jaeger:
-    samplingServerURL: http://localhost:5778/sampling
-
 certificatesResolvers:
   letsencrypt:
     acme:

roles/docker_host/tasks/main.yml

@@ -58,7 +58,7 @@
 
 - name: Clean alpina directory
   file:
-    path: "{{ my_svc_path }}"
+    path: "{{ alpina_svc_path }}"
     state: absent
   when: clean_desired is true
 

services.yml

@@ -1,4 +1,4 @@
-- hosts: docker_hosts
+- hosts: alpina
   roles:
     - docker_host
     - alpina